Investigating vulnerability CVEs for PhotonOS-based appliances

Article ID: 325921

Products

VMware Aria Suite

Issue/Introduction

This KB is a guide to validating vulnerabilities/CVEs that a security scan reports against PhotonOS-based VMware appliances. It applies when:
  • You have recently scanned the appliance with a vulnerability scanner and it reports one or more CVEs as affecting the system.
  • You have checked the VMware product release notes, VMSAs, and existing Knowledge Articles for the CVE in question and still cannot determine whether it is fixed.

Environment

All PhotonOS-based VMware applications

Resolution

Validate RPM packages and PhotonOS versions

Prerequisites:

  • You have SSH access with root username and password for the VMware application.

Procedure

  1. Document the VMware application version using the About or Help function in the product UI.
  2. Verify the PhotonOS version on the appliance by running the following command:
    cat /etc/photon-release
  3. Obtain from the scanner how it detects this vulnerability (the plugin or audit detail). For PhotonOS-based appliances this is usually a simple rpm version check.
  4. Verify the rpm package the scanner is checking and its installed version-release:
    rpm -qa | grep packagename
  5. Compare the installed version-release from the appliance against the version in which the CVE was fixed and against the version the scan data reports.
    1. If the package is at or above the version-release in which the CVE was fixed, or the package is not installed at all, the CVE does not apply and the finding is a false positive. Note that PhotonOS, like other Linux distributions, often backports a security fix without moving to the upstream version number; the fix is then reflected in the release number (for example the -2.ph3 suffix) and in the package changelog (rpm -q --changelog packagename | grep CVE-XXXX-YYYY), not in the upstream version a scanner may be comparing against.
      1. Take this information to your scanning team and request that they open a case with the vulnerability scanner vendor's support team.
    2. If you are unsure of the validity of the information you have collected, open a support case with VMware by Broadcom for additional guidance.
      1. Ensure you include the following:
        1. Scan data
          1. Vendor of the vulnerability scanner
          2. Details of the checks being performed against the system
        2. Versions of the VMware products
        3. PhotonOS version
        4. rpm -qa output
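The comparison in steps 4 and 5 can be scripted so that the same check is applied consistently to every finding. The following shell script is an added example and is not part of this KB or of any VMware tooling. The package names, the fixed versions and the sample `rpm -qa` listing are constructed for illustration; version ordering uses GNU `sort -V`, which approximates rpm's own version comparison well enough for PhotonOS version-release strings but is not identical to it (use rpmdev-vercmp where available when the result looks surprising).

```shell
#!/bin/sh
# Added example (not from the KB): decide whether a scanner finding against a
# PhotonOS rpm is a false positive by comparing the installed version-release
# with the version-release in which the CVE was fixed.

# Constructed sample of `rpm -qa` output. On a real appliance replace it with
# listing=$(rpm -qa) and keep the rest of the script unchanged.
SAMPLE_RPM_QA='openssl-1.1.1k-3.ph3.x86_64
curl-7.78.0-2.ph3.x86_64
libxml2-2.9.12-1.ph3.x86_64
zlib-1.2.11-4.ph3.x86_64'

# installed_version NAME LISTING
# Prints VERSION-RELEASE of package NAME from an rpm -qa listing, or nothing if
# the package is not installed. The name is matched exactly (so "curl" does not
# match "libcurl", which a plain grep would) and the arch suffix is dropped.
installed_version() {
    pkg="$1"; listing="$2"
    printf '%s\n' "$listing" | awk -v p="$pkg" '
        {
            n = $0
            sub(/\.(x86_64|aarch64|noarch)$/, "", n)
            # NAME-VERSION-RELEASE: the last two dashes separate the fields,
            # so the name may itself contain dashes (python3-setuptools-...).
            if (match(n, /-[^-]+-[^-]+$/) && substr(n, 1, RSTART - 1) == p) {
                print substr(n, RSTART + 1)
                exit
            }
        }'
}

# version_ge A B: succeeds if version-release A is greater than or equal to B.
# Uses GNU sort -V; equal strings sort together so A == B also succeeds.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_cve NAME FIXED_VERSION_RELEASE LISTING
# Prints FIXED, NOT_INSTALLED or VULNERABLE. FIXED and NOT_INSTALLED mean the
# finding is a false positive for this package; VULNERABLE means the installed
# package predates the fix and the finding should be treated as valid.
check_cve() {
    pkg="$1"; fixed="$2"; listing="$3"
    inst=$(installed_version "$pkg" "$listing")
    if [ -z "$inst" ]; then
        echo NOT_INSTALLED
    elif version_ge "$inst" "$fixed"; then
        echo FIXED
    else
        echo VULNERABLE
    fi
}

# Usage: the fixed version-release comes from the Photon OS advisory or the
# package changelog (rpm -q --changelog openssl | grep CVE-...), not from the
# upstream project's version, because PhotonOS backports fixes.
check_cve openssl 1.1.1k-3.ph3 "$SAMPLE_RPM_QA"   # installed == fixed
check_cve curl    7.79.0-1.ph3 "$SAMPLE_RPM_QA"   # installed is older
check_cve libcurl 7.78.0-1.ph3 "$SAMPLE_RPM_QA"   # not an installed package
```

Run it on the appliance with `listing=$(rpm -qa)` in place of the sample and one `check_cve` line per finding; the VULNERABLE results are the ones to keep in the scan report, the rest go to the scanner vendor as false positives together with the photon-release and rpm -qa output listed above.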